New Job Role Manages IT Risks

James Lam preaches a religion sure to scare many corporate executives: that compliance with the Sarbanes-Oxley Act is just the beginning of the reforms corporate America needs to make.

Inspired by his tenure as chief risk officer for Fidelity Investments in the 1990s, Lam envisions a paradise of automated risk management—where companies can measure potential threats to their business and gauge how likely those risks are to occur.

Still, for all the lofty goals enterprise risk management entails, Lam said executives must first solve a puzzle at the heart of IT and personnel management.

"How," Lam asked, "do you get to the information to develop a composite picture of the risk facing the company?"

"This is absolutely vital, because the alternative is adding more and more people to the end of a business process to manage risk," says Mark Lindig, head of KPMG LLP's information risk management practice. Considering the surge in regulations surrounding risk, such an approach is simply not feasible for large businesses. "You can't go through this year after year."

More and more companies are trying not to. Despite the exhaustion of SarbOx compliance efforts, a new wave of enterprise-risk projects is taking root. A few examples:

• Laclede Gas Co., a $1.2 billion gas utility in St. Louis, last year established a three-person "department of risk and control services" to graft lessons learned from SarbOx onto a broader effort to manage risk.

• Houston-based trash disposal company Waste Management Inc. just assigned its head of internal audit to conduct a companywide risk assessment this year.

• SCM Microsystems Inc., a $49 million maker of smart-card security systems in Silicon Valley, now uses its SarbOx compliance systems to tackle other risks such as hazardous-waste reduction.

The goal for these projects is identical: moving from manual processes that detect risks after a breach occurs to automated processes that prevent those risks from growing unchecked in the first place.

The trick is how to get there when responsibility falls across numerous corporate departments, and executives already face a dizzying array of tools to track the necessary data.

"I think it's appropriate to have a consolidated point of oversight, reporting at a very high level within the organization," said Ted Frank, president of Axentis Inc., a maker of governance software in Warrensville, Ohio. "Not to manage the process, but to define best practices and help guide the organization to the best decision."

No matter what the approach, IT executives can expect to find themselves in the cross hairs.

Elizabeth Hackenson said she found herself in the cross hairs at MCI Inc. last year. As CIO of the $20 billion long-distance carrier, she was instrumental in helping the company document its internal controls by year's end to comply with SarbOx—but she was not the executive in charge of the project. That responsibility fell to MCI's chief financial officer.

Hackenson said she acted more as a liaison and consultant, advising the CFO on how best to automate MCI's controls and leading the 250 IT employees assigned to the project.

For example, she said the CFO and his SarbOx specialists had decided that MCI had to restrict user access privileges based on a worker's job function. Then, Hackenson said, "he allowed me to figure out the solution from an IT perspective to implement those user controls."
